I just logged onto the CGI server for the first time so I can set up a blog on my website and I found that I could view the services entire directory structure including viewing the scripts in etc folder. I did not stay in there that long but I can't help thinking that someone who knows hacking, which I don't, just know Linux a bit, could have some fun in there. Am I right to worry??? Ta, Rich.
Having a publicly available CGI service is always a balance between security and usability. The more you lock down the less users can do, and vice versa. There are several files in /etc which need to be seen by all users for many programs to function correctly, and although you might be able to see the files as a 'normal' user, only root can edit or remove them. Unfortunately due to the balance of user freedom and security, there are many things malicious people can do to get on to the CGI platform and abuse it, I've seen many, many different attacks over the years, but have never seen a privilege escalation (that is someone gaining root access to the boxes). Although it may be cold comfort for customers, the CGI platform is completely isolated from the rest of our network, if it was to be compromised fully then people wouldn't be able to get at our more sensitive systems from it.